2000-2002 Zürcher Hochschule Winterthur - strongSec · A. Steffen, 4.03.2002, KSy_Crypto.ppt 7...

A. Steffen, 4.03.2002, KSy_Crypto.ppt 1

ZürcherHochschuleWinterthurKommunikationssysteme (KSy) - Block 8

Secure Network CommunicationPart I

Introduction to Cryptography

Secure Network CommunicationPart I

Introduction to Cryptography

Dr. Andreas Steffen

2000-2002 Zürcher Hochschule Winterthur

Introduction• Recommended literature• TerminologyCryptanalysis• Fundamental assumptions• Types of attacks• Redundancy of natural language textsClaude Shannon• Principle of confusion - substitution• Principle of diffusion - transposition and permutation• Entropy of English texts• Perfect secrecy – the one-time pad• General model of a secrecy systemSymmetric Key Cryptosystems – Block Ciphers• Common block and key sizes• Electronic code book mode (ECB)• Cipher block chaining mode (CBC)Block Ciphers – Present and Future Standards• Some popular block ciphers (DES, 3DES, IDEA, CAST, Blowfish, RC2, RC5)• Digital Encryption Standard (DES) – rounds of confusion and diffusion• Feistel networks• Advanced Encryption Standard (AES)• AES finalists (MARS, RC6, Twofish, Serpent, Rijndael)Symmetric Key Cryptosystems – Stream Ciphers• Linear feedback shift registers (LFSRs)• RC4• Output feedback mode (OFB) – block ciphers used as stream ciphers


ZürcherHochschuleWinterthurOverview

Week 1 - Introduction to CryptographyDefinitions and Basic PrinciplesCryptanalysis based on Plaintext Redundancy Symmetric Key Cryptosystems

Block Ciphers (DES, 3DES, AES)Stream Ciphers (Linear Feedback Shift Registers, RC4)

Week 2 - Public Key CryptosystemsFinite Field Algebra

Addition and Multiplication, Inverses, Fast ExponentiationPublic Key Cryptosystems

Diffie-Hellmann Key ExchangeRSA Public Key Cryptosystem

Week 3 - Secure Network ApplicationsSecure e-mail (S/MIME, PGP)Secure Socket Layer (SSL)


ZürcherHochschuleWinterthurCryptography - Literature

Modern CryptographyBruce Schneier, "Applied Cryptography:Protocols, Algorithms, and Source Code in C,2nd Edition", 784 pages, 1996,John Wiley & Sons, ISBN 0-471-11709-9

http://www.counterpane.com

History of CryptographyDavid Kahn, "The Codebreakers:The Comprehensive History of SecretCommunication from Ancient Times to theInternet", 1181 pages, 1996,Scribner Book Company, ISBN 0-684-83130-9


ZürcherHochschuleWinterthurCryptography - Literature (light)

Studienarbeit „Kryptographische Verfahren“Jörn Jachalsky, "Untersuchung kryptographischer Verfahren in der TCP/IP-Protokollarchitektur", 131 pages, 1997, Universität Hannnover, Lehrgebiet Rechnernetze undVerteilte Systeme

http://www.rvs.uni-hannover.de/arbeiten/studien/sa-jacha.html

The Code BookSimon Singh, "The Code Book : The Science of Secrecy from Ancient Egypt to Quantum Cryptography", 410 pages, 2000,

Anchor Books/Doubleday, ISBN 0-385-49532-3Fourth Estate, ISBN 1-857-02889-9


ZürcherHochschuleWinterthur

Cipher

Cryptography - Terminology I

EncryptionEK(P) = C

plaintext

weattackat dawn

P

sorqjzplvnwkghanqd

C

ciphertext

weattackat dawn

P

sorqjzplvnwkghanqd

C

DecryptionDK(C) = P

key K

key K

Messages and Encryption• A message is plaintext (sometimes called cleartext). The process of disguising amessage in such a way as to hide its substance is called encryption.

• An encrypted message is ciphertext. The process of turning ciphertext back intoplaintext is called decryption.

Algorithms and Keys• A cryptographic algorithm, also called a cipher, is the mathematical functionused for encryption and decryption.

• The security of a modern cryptographic algorithm is based on a secret key.This key might be any one of a large number of values. The range of possiblekey values is called the keyspace.• Both encryption and decryption operations are dependent on the key K and thisis denoted by the K subscript in the functions EK(P) = C and DK(C) = P

Source: Bruce Schneier, „Applied Cryptography“, Second Edition, pp. 1..3,John Wiley & Sons, 1996


ZürcherHochschuleWinterthurCryptography - Terminology II

Cryptology is a branch of mathematics

Cryptography„Art and science of

keeping messages secure“

Cryptology

Cryptanalysis„Art and science ofbreaking ciphertext“

Cryptology• The art and science of keeping messages secury is cryptography, and it is practicedby cryptographers.

• Cryptanalysts are practitioners of cryptanalysis, the art and science of breakingciphertext; that is seeing through the disguise.

• The branch of mathematics encompassing both cryptography and cryptanalysis iscryptology an its practitioners are cryptologists.

• Modern cryptologists are generally trained in theoretical mathematics – they haveto be.

Source: Bruce Schneier, „Applied Cryptography“, Second Edition, p. 1,John Wiley & Sons, 1996


ZürcherHochschuleWinterthurCryptanalysis - Fundamental Assumptions

Attacker knows every detail of the cryptographical algorithmAttacker is in possession of encryption / decryption equipment (HW machine or SW implementation)Attacker has access to an arbitrary number of plaintext / ciphertext pairs generated with the same (unknown) key.Strong cipher: Best attack should be brute force key search!

The security of a cipher should relyon the secrecy of the key only!

Auguste Kerckhoffs, „La Cryptographie militaire“, 1883

„La Cryptographie militaire“• Author: Auguste Kerckhoffs, born 1835 at Nuth, Holland• Good cryptographic algorithms are found only through thorough cryptanalysis!• Kerckhoffs deduced the following six requirements for selecting usable field ciphers:

1) the system should be, if not theoretically unbreakable, unbreakable in practice2) Compromise of the system should not inconvenience the correspondents3) The key should be remembrable without notes and should be easily changeable4) The cryptograms should be transmissible by telegraph5) the apparatus or documents should be portable and operable by a single person6) the systems should be easy, neither requiring knowledge of a long list of rules

nor involving mental strain.


ZürcherHochschuleWinterthurCryptanalysis - Types of Attacks

Ciphertext-Only AttackAttacker knows ciphertext of several messages encrypted with the same key and/or several keysRecover the plaintext of as many messages as possible or even better deduce the key (or keys)

Known-Plaintext AttackKnown ciphertext / plaintext pair of several messagesDeduce the key or an algorithm to decrypt further messages

Chosen-Plaintext Attack Attacker can choose the plaintext that gets encrypted thereby potentially getting more information about the key

Adaptive Chosen-Plaintext AttackAttacker can choose a series of plaintexts, basing the choice onthe result of previous encryption →→→→ differential cryptanalysis!

Differential Cryptanalysis• Introduced in 1990 by Eli Biham and Adi Shamir, who used it to show that for certainclasses of cryptographic algorithms an adaptive chosen plaintext attack existed thatwas much more efficient than brute force.

• Although potentially vulnerable, the „Data Encryption Standard“ (DES) was shownto be surprisingly resistant to differential cryptanalysis.- Why do the S-boxes contain exactly those optimal values that make such adifferential attack as difficult as possible?

- Why does DES use exactly 16 rounds, the minimum required to make the effortfor differential cryptanalysis about the same as a brute force approach?

Answer: Because in the early 1970s the developers at IBM already knew aboutdifferential cryptanalysis!IBM‘s Don Coppersmith wrote in 1992:

The design took advantage of certain cryptanalytic techiques, most prominentlythe technique of „differential cryptanalysis“, which were not known in the publishedliterature. After discussions with the National Security Agency (NSA), it wasdecided that disclosure of the design considerations would reveal the technique ofdifferential cryptanalysis, a powerful technique that can be used against manyciphers. This in turn would weaken the competitive advantage the United Statesenjoyed over other countries in the field of cryptography

National Security Agency (NSA)• Created in 1952 by President Harry Truman with the mandate to listen in on anddecode all foreign communications of interest to the security of the United States.

• Rumored to employ about 16‘000 people, among them about 2000 of the world‘sbest mathematicians.


ZürcherHochschuleWinterthurHow to construct a Secure Cipher?

World War II German Enigma Machine

Thomas Jefferson‘s Cipher Wheel

1 0 1 0 0 1 1 1 0 1 ...


ZürcherHochschuleWinterthurClaude Shannon 1916 - 2001

The Father of Information Theory


ZürcherHochschuleWinterthurClaude Shannon 1916 - 2001

The Father of Information Theory

Information TheoryWorked at MIT / Bell Labs„The Mathematical Theory ofCommunication“ (1948)Maximum capacity of a noisy transmission channelDefinition of the „binary digit“ (bit) as a unit of informationDefinition of „entropy“ as a measure of information

CryptographyModel of a secrecy systemDefinition of perfect secrecyBasic principles of „confusion“ and „diffusion“

Basic Principles of „Confusion“ and „Diffusion“• Throughout history the principles of „confusion“ and „diffusion“ have been used

in innumerable codes and ciphers. Shannon was the first to formulate these twoprinciples explicitely, „confusion“ standing for substitution operations and „diffusion“ standing for transposition or permutation operations. These twoprinciples are still actively used in modern ciphers.


ZürcherHochschuleWinterthurMary Stuart 1516 - 1558

Famous Victim of Successful Cryptanalysis

Mary StuartQueen of Scotland

Elizabeth IQueen of England

Codes have decided the fates of empires throughout recorded history• Mary Stuart, Queen of Scotland was put to death by her cousin Queen Elizabethof England, for the high crime of treason after spymaster Sir Francis Walsinghamcracked the secret code she used to communicate with her conspirators.

Source: Simon Singh, „The Code Book“, Doubleday, 1999



ABCDEFGHIJKLMNOPQRSTUVWXYZ

DEFGHIJKLMNOPQRSTUVWXYZABC

Substitution Table - Caesar‘s Cipher

Shannon‘s Principle of ConfusionSubstitution Cipher

MESSAGE FROM MARY STUART KILL THE QUEEN

PHVVD JHIUR PPDUB VWXDU WNLOO WKHTX HHQPHVVD JPHVVDPHVVPHP

key = 3 cyclic shifts

ABCDEFGHIJKLMNOPQRSTUVWXYZ

EYUOBMDXVTHIJPRCNAKQLSGZFW

General Substitution Table

26! possible keys

JBKKE DBMAR JJEAF KQLEA QHVII QXBNL BBP

Caesar Cipher• The famous cipher used by Julius Caesar during his campaigns replaced each

plaintext character by the character cyclicly shifted to the left.“A“ is replaced by “D“, „B“ by „E“ and finally „Z“ by „C“.This is a simple monoalphabetic substitution cipher, where each character inan alphabet is replaced by another character in the same alphabet or sometimeseven by a symbol of a different alphabet. With an alphabet of 26 characters and themost general substitution table there exist an enormous number of 26! differentkeys. This seems to make this system quite secure.

• Unfortunately monoalphabetic substitution schemes suffer from the severedrawback that with a given key, each occurence of a specific plaintext characteris always mapped to the same ciphertext character, thus preserving the well-knowncharacter count statistics of natural language plaintexts, on the basis of whichciphertexts can be cracked quite quickly.

Substitution using S-Boxes• In modern ciphers a fixed number of plaintext bits are grouped together andare substituted by a different bit combination according to a fixed lookup table.

• A software or hardware module which implements this substitution operationis called an S-Box.



4 9 1 7 5 3 2 8 6Extended key:order of columns9! = 362‘880 keys

Shannon‘s Principle of DiffusionTransposition Cipher

MESSAGE FROM MARY STUART KILL THE QUEEN

M E S S A G E F RO M M A R Y S T U A R T T HE

K I L L Q U E E N

Plaintext in

Ciphertext out

MOAEE MRQMOAEMOAEE MRQSM TUMOAEE MRQSM TUSAK EMOAEE MRQSM TUSAK EARIE RUHMOAEE MRQSM TUSAK EARIE GYLNMOAEE MRQSM TUSAK EARIE GYLNE SLFTT

Diffusion means permutation of bit or byte positions !

1 2 3 4 5 6 7 8 9 Key = 9 columns

SMTUE SLGYL NMOAE ARIER UHSAK EFTTE MRQ

Classical Transposition Cipher• In a classical transposition cipher the plaintext is written on a piece of paperin horizontal rows of c characters each. The number of columns c is part of thesecret key. After the whole text has been written down in this fashion, theciphertext is read out vertically column after column. In simpler versions thisis done in increasing column order, but in a generalized method the columnscould be chosen in any order (known of course by the authorized receiver)thereby extending the number of possible keys.

Permutation using P-Boxes• In modern ciphers a fixed number of bits are written in linear order into a bufferand are read out in a permuted order controlled by a fixed lookup table.

• A software or hardware module which implements this permutation operationis called a P-Box.


ZürcherHochschuleWinterthurMost Cryptoanalytic Attacks base on the

Redundancy of Natural Language Texts

E

26

T

18

A

16

O

16

N

14

I

13

R

13

S

12

H

12

high frequency group

D

8

L

7

U

6

C

6

M

6

medium frequency group

P

4

F

4

Y

4

W

3

G

3

B

3

V

2

low frequency group

J

1

K

1

X

1 ½

Q Z

½

rare group

Frequency table of 200 English letters


ZürcherHochschuleWinterthurEntropy of the English Language

Single character statisticsEntropy H = 4 bits / character

Written English taking into account the full contextShannon (1950): Entropy H = 0.6 ... 1.3 bits / characterSimulations (1999): Entropy H = 1.1 bits / character

What about the entropy of C source code?for (c = 0; c < 256; c++) {

i2 = (key_data_ptr[i1] + state[c] + i2) % 256;swap_byte(&state[c], &state[i2]);i1 = (i1 + 1) % key_data_len;

}

Compression before encryption increases securityGood data compression algorithms (e.g. Lempel-Ziv) remove all redundancy and come very close to the entropy of the plaintext.

Single Character Entropy• By counting the number of occurences of each character ci in a multitude of Englishtexts the single character probabilities p(ci) can be determined. Over the wholealphabet these probabilities must add up to one.

• The entropy can now be computed with the following formula

• With the statistical values from the previous page the single character entropybecomes H = 4.19 bit, which is about half the 8 bit ASCII representation requires.

p cii

( )=∑ =1

26

1

H p cp ci

i i

= ⋅=∑ ( ) log

( )1

26

21


ZürcherHochschuleWinterthurShannon‘s Definition of Perfect Secrecy

The One-Time Pad

m bits of plaintext Pwith entropy H(P)

m bits of plaintext Pwith entropy H(P)

Compression AlgorithmC(P) = Z

Compression AlgorithmC(P) = Z

H(P) ≤≤≤≤ k ≤≤≤≤ m bits of compressed plaintext Z

H(P) ≤≤≤≤ k ≤≤≤≤ m bits of compressed plaintext Z k bits of ciphertext Ck bits of ciphertext C

One-Time Padk bits of random key K

One-Time Padk bits of random key K

1 0 0 1 1 0 1 0 1 0

0 1 1 1 0 1 1 0 1 1

1 1 0 1 0 0 0 1 1 1

use random key sequenceonly once and then discard it !

Perfect Secrecy• Shannon has proven, that if correctly applied, the one-time pad becomes a perfectly secure cryptosystem.

• The plaintext is first reduced as close as possible to its true entropy by feeding itinto a good compression algorithm. If ideal compression could be achieved, thenchanging any number of bits in the compressed message would result in anothersensible message when uncompressed.

• The compressed plaintext is next XOR-ed bit-by-bit with random bits taken fromthe one-time pad, thus forming a perfectly random ciphertext. Once used these keybits must be discarded from the one-time pad and never used again.

• Without the correct key sequence it is impossible to retrieve the original plaintextsince applying any other key of the same length would also give a sensibleplaintext message after uncompression.

• Why are one-time pads used only by secret agents and e-banking customers?The secure distribution of the required keying material would pose an an enormouslogistical problem if the one-time-pad were used on a large scale!



open channel

Shannon‘s Model of a Secrecy SystemSymmetric or Secret-Key Cryptosystems

Same key used for encryption and decryptionKey must be kept absolutely secretSame key can be used for several messages, but should be changed periodically →→→→ secure key distribution problem!

EncryptionEK(P) = C

plaintext

P DecryptionDK(C) = P

ciphertext plaintext

PC

key K key K

distribution of secret-key over secure channel


ZürcherHochschuleWinterthurSecure Network Communication – Part I

Symmetric Key CryptosystemsBlock Ciphers

Symmetric Key CryptosystemsBlock Ciphers


ZürcherHochschuleWinterthurSymmetric Key Cryptosystems

Block Ciphers

ciphertext blocks n bits

n bits plaintext blocksn bits

n bits

Common Block Sizes:n = 64, 128, 256 bits

Common Key Sizes:k = 40, 56, 64, 80, 128,

168, 192, 256 bits

k bits

Key

Block Cipher

n bits

Block Ciphers• A block ciphers cuts up a plaintext of arbitrary length into a series of blocks havinga constant size of n bits. It then encrypts a single block of plaintext at a time andconverts it into a block of ciphertext. In a good block cipher each of the n bits of theciphertext block is a function of all n bits of the plaintext block and the k bits of thesecret key.

Common Block Sizes• Most block sizes currently are 64 bits but the trend is clearly going towards largerblock sizes e.g. with the Advanced Encryption Standard (AES)

Common Key Sizes• Key sizes with 40, 56 and 64 bits are clearly unsecure and should not be usedanymore. To be on the safe side use a key size of 128 bits or more.


ZürcherHochschuleWinterthurBlock Cipher Modes I

Electronic Code Book Mode (ECB)

P1

P2

P3

C1EE DD P1C1

EE C3 C3 DD P3

Sender Receiver

EE C2 DD P2C2

Electronic Code Book Mode (ECB)• In ECB block cipher mode a plaintext input block is mapped statically to aciphertext output block. With sufficient memory resources a lookup table orElectronic Code Book could be built, linking any ciphertext block patternthe ist corresponding plaintext block.

• Block ciphers in ECB mode are vulnerable to block replay attacks, becausean opponent (without knowing the key) could replay an already transmitted ciphertext block at a later time if he thinks that the block contained e.g. an encryptedmoney transfer. If a session key is kept in use sufficiently long an attacker couldalso try to build a codebook of intercepted ciphertext blocks and guessed plaintextblocks.



C1EE

EE C2

EE

P1

P2

P3 C3

Block Cipher Modes IICipher Block Chaining Mode (CBC)

IV

DD P2C2

IV

DD P1C1

C3 DD P3

Sender Receiver

Cipher Block Chaining Mode (CBC)• In order to inhibit block replay attacks and codebook compilation, modern blockciphers are usually run in cipher block chaining mode. Each plaintext block isXOR-ed with the previous ciphertext block before encryption, so that identicalplaintext blocks occuring in the same message show up as different ciphertextblocks.

• At the receiving side each block coming out of the decryption algorithm mustfirst by XOR-ed with the previously received ciphertext block in order to recoverthe plaintext. A single bit error occuring over the transmission channel will resultin the loss of one whole plaintext block plus a single bit error in the immediatelyfollowing plaintext block. Error propagation is therefore restricted to twoplaintext blocks.

• Any CBC-encrypted message must be initialized by an initialization vector (IV)that is openly transmitted over the insecure channel at the beginning of thesession. In order to avoid replay attacks an IV value should be used only onceand never be used again. This can be achieved either by assigning a monotonicallyincreasing counter or a random value to the IV.



Block CiphersPresent and Future Standards

Block CiphersPresent and Future Standards


ZürcherHochschuleWinterthurSome Popular Block Ciphers

Block SizeName of Algorithm Key Size

DES (Data Encryption Standard, IBM) 64 56

3DES (Triple DES) 64 168

IDEA (Lai / Massey, ETH Zürich) 64 128

RC2 (Ron Rivest, RSA) 64 40 ... 1024

CAST (Canada) 64 128

Blowfish (Bruce Schneier) 64 128 ... 448

Skipjack (NSA, clipper chip, was classified) 64 80

RC5 (Ron Rivest, RSA) 64 ... 256 64 ... 256


ZürcherHochschuleWinterthurData Encryption Standard (DES)

Rounds of Confusion and Diffusion

Initial PermutationInitial Permutation Strip Parity (56 bits)Strip Parity (56 bits)

Key (64 bits)Key (64 bits)

Round 1Round 1

Round 2Round 2

Round 16Round 16

Reverse PermutationReverse Permutation

Plaintext Block (64 bits)Plaintext Block (64 bits)

Ciphertext Block (64 bits)Ciphertext Block (64 bits)

Description of th Data Encrytion Standard (DES)• The key length is 56 bits. (The key is usually written as a 64-bit number, butevery eigth bit is used for parity checking and is discarded when the key isloaded into the DES algorithm.

• At ist simplest level, the algorithm is nothing more than a combination of the twobasic techniques of encryption: confusion and diffusion. The fundamental buildingblock of DES is a single combination of these techniques (a substitution followed)by a permutation) on the plaintext and based on the key. This is known as a round.DES has 16 rounds; it applies the same combination of techniques on the plaintextblock 16 times. Any round less would make DES vulnerable to differentialcryptanalysis!

• At the very beginning of the DES algorithm the 64 bit plaintext block is subjectedto an initial permutation which does not depend on the key, whereas the inverseof this permutation finishes off the algorithm and delivers the ciphertext. Thesepermutations do not affect the security of the DES algorithm and their purpose isnot quite known.


ZürcherHochschuleWinterthurOne Round of DES

Expansion PermutationExpansion Permutation

48

P-Box PermutationP-Box Permutation

S-Box SubstitutionS-Box Substitution

32

ShiftShift ShiftShift

48

CompressionPermutation

CompressionPermutation

FeistelNetwork

56

32

32

Keyi-1Keyi-1Ri-1

Ri-1Li-1Li-1

KeyiKeyiRi

RiLiLi

32

3256

Feistel Networks• At the heart of each DES round is a Feistel network, named after the IBM scientistHorst Feistel. The 64 bit block of incoming plaintext is split into a right and a lefthalf of 32 bits each. Whereas the right half becomes the left half of the output textblock at the end of the round, the left half enters a black box where it is firstexpanded to 48 bits by an expansion permutation and then XOR-ed with a 48-bitwide key. The resulting sum then enters an array of eight S-boxes with 6 input linesand 4 output lines each, producing a 32 bit wide output which then gets permutedby a P-box. The resulting output the black box is XOR-ed with the left half of theinput text block and becomes the right half of the output text block.

• Each of the 16 DES rounds has a 48 bit key of ist own, derived by continuallyshifting and permuting the full 56 bit key from round to round.


ZürcherHochschuleWinterthurAdvanced Encryption Standard (AES)

http://www.nist.gov/aes

DES is nearly 25 years old! Triple DES with a 168 bit key is the current Federal Information Processing Standard FIPS 46-3 (renewed in October 1999). Single DES with 56 bit key is permitted for legacy systems only.

Evaluation of an Advanced Encryption StandardThe National Institute of Standards and Technology (NIST,U.S. Department of Commerce) started a public contest in 1997.Out of 5 final candidates Rijndael was chosen in October 2000.

Requirements for AESAES shall be publicly defined.AES shall be a symmetric block cipher.AES shall be implementable in both hardware and software.AES shall be designed so that the key length may be increased as needed.AES block size n = 128 bits, key size k = 128, 192, 256 bits


ZürcherHochschuleWinterthurAES Finalists

MARS (IBM)Modified Feistel Network - 32 RoundsBased on mixed structure DES

RC6 (RSA)Feistel Network - 20 RoundsBased on modified RC5

Twofish (Bruce Schneier)Feistel Network - 16 RoundsBased on modified Blowfish

Serpent (Ross Anderson / Eli Biham / Lars Knudsen)Substitution Permutation Network - 32 RoundsBased on bitslice operations

Rijndael (Joan Daemen / Vincent Rijmen)Modified Substitution Permutation Network - 10 RoundsBased on Square



Symmetric Key CryptosystemsStream Ciphers

Symmetric Key CryptosystemsStream Ciphers


ZürcherHochschuleWinterthurSymmetric Key Cryptosystems

Stream Ciphers

Pseudo-RandomSequence Generator

Pseudo-RandomSequence Generator

Plaintext BitstreamPlaintext Bitstream Ciphertext BitstreamCiphertext Bitstream

KeyKey

1 1 1 1 1 1 1 1 0 0 0 0 0 0 …

1 0 0 1 1 0 1 0 1 1 0 1 0 0 …

0 1 1 0 0 1 0 1 1 1 0 1 0 0 …

Plaintext Stream

Pseudo-Random Stream

Ciphertext Stream

Stream Ciphers• Stream ciphers are based on a key stream generator that produces apseudo-random sequence initialized by a secret key. This key stream is bit-wiseXOR-ed with the plaintext bit stream, producing a ciphertext bit stream. At thereceiver an identical key stream generator initialized with the same secret key issynchronized with the incoming ciphertext stream, . By combining the ciphertextstream and the synchronized key stream a single XOR at the receiver recovers theoriginal plaintext.

Stream Ciphers versus Block Ciphers• Stream ciphers usually work on a bit-level architecture and were traditionallyimplemented in dedicated hardware (ASICs). Very high throughputs can be achieved.Single bit errors in the ciphertext affect only a single plaintext bit and do not propagate.

• Block ciphers usually work on a word-level architecture and were traditionallyimplemented as software functions. Single bit errors propagate and affect twoconsecutive plaintext blocks in CBC mode.

• Today the boundaries between stream ciphers and block ciphers have beensmeared somewhat. Stream ciphers can be used as block ciphers and vice versa.Modern stream ciphers often have word-sized internal registers and can be efficiently implented in software functions (e.g. RC4). Block ciphers have becomefaster and achieve high bandwidths.


ZürcherHochschuleWinterthurStream Ciphers

Linear Feedback Shift Registers (LFSRs)

Maximum possible sequence length is 2n - 1 with n registersLFSRs are often used as building blocks for stream ciphersGSM A5 is a cipher with 3 LFSRs of lengths 19, 22, and 23

KeyKey

1111001100

Load Key

R0 R1 R2 Rn-2 Rn-1

Linear Feedback Shift Registers (LFSRs)• Due to their finite state LFSRs themselves are very vulnerable to cryptanalysis.Only the artful combination of several LFSR building blocks with different lengthsresults in robust pseudo-random sources.

• The once powerful GSM A5 cipher containing three different LFSRs can nowadaysbe cracked in near real-time.


ZürcherHochschuleWinterthurStream Ciphers - RC4

Internal state of 256 registers (8-bits wide)

// java class definition

public class RC4 {private final static int stateSize = 256;private int state[];private int index1;private int index2;

// constructor

public RC4(int key[]) {state = new int[stateSize];this.loadKey(key);

}

...}

RC4 Stream Cipher• RC4 invented by Ron Rivest was kept secret by RSA Data Security Inc. until thesource code was anonymously leaked to a newsgroup in 1994. Restricted to40 bit keys by U.S. export regulations until recently RC4 acquired an image ofbeing unsecure. Nevertheless when used with 128 bit keys RC4 is still regardedas a secure and very elegant stream cipher by most experts.

• RC4‘s biggest advantage is its extremely simple, byte-oriented structure leadingto extremely compact software implementations. RC4 possesses an internal stateof 256 byte-wide registers which are initialized during startup by loading them with repeatedly concatenated versions of the secret key.


ZürcherHochschuleWinterthurStream Ciphers - RC4

Simple state update by swapping registers

public void stream(int data[]) {int swap, xorIndex;

for (int counter = 0; counter < data.length; counter++) {// compute next indexindex1 = (index1 + 1) % stateSize;index2 = (index2 + state[index1]) % stateSize;

// swap contents of state[index1] and state[index2]swap = state[index1];state[index1] = state[index2];state[index2] = swap;

// XOR state byte with data bytexorIndex = (state[index1] + state[index2]) % stateSize;int in = data[counter];data[counter] ^= state[xorIndex];

} }


ZürcherHochschuleWinterthurBlock Cipher Modes III

Output Feedback Mode (OFB)

IVSender Receiver

S1EE

EE S2

EE S3

IVP1

P2

P3

C2

C1

C3

C2

C2

C1

P1

P2

P3

S1

S2

S3

EE

EE

EE

Output Feed Back Mode (OFB)• A block cipher in output feedback mode works as a key stream generatorproducing a pseudo-random key sequence a block at a time. By XOR-ingthe key stream with the plaintext the block cipher actually works as a stream cipher.

2000-2002 Zürcher Hochschule Winterthur - strongSec · A. Steffen, 4.03.2002, KSy_Crypto.ppt 7...

Documents

Transcript of 2000-2002 Zürcher Hochschule Winterthur - strongSec · A. Steffen, 4.03.2002, KSy_Crypto.ppt 7...